Trivy v0.70.0, released on April 17, 2026, focuses on refining performance, bolstering security reporting, and improving scanning accuracy. This minor update from Aqua Security is crucial for QA engineers relying on Trivy for their DevSecOps workflows.

Key Changes

Performance: A notable optimization improves directory traversal for plugins, replacing filepath.Walk with filepath.WalkDir. This change can lead to faster scan times, especially in environments with deep directory structures or numerous plugins.
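The filepath.WalkDir change above in a small Go example, added here and not taken from Trivy's code: a plugin-manifest discovery walk that relies on the fs.DirEntry WalkDir supplies (no per-entry Lstat), stops at hidden or over-deep directories with filepath.SkipDir, and ignores symlinked manifests. The root/<name>/plugin.yaml layout, the function names and the sample tree are assumptions constructed for the example.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// FindPluginManifests walks root with filepath.WalkDir (assumption: each plugin
// lives at root/<name>/plugin.yaml). WalkDir's callback receives an fs.DirEntry from
// the directory listing instead of the per-entry os.Lstat that filepath.Walk issues.
func FindPluginManifests(root string) ([]string, error) {
	var manifests []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err // unreadable entry: fail loudly rather than skip silently
		}
		rel, _ := filepath.Rel(root, path) // path always lies under root
		depth := strings.Count(rel, string(filepath.Separator))
		if d.IsDir() { // stay at root/<name>/ and keep out of hidden dirs (caches)
			if rel != "." && (strings.HasPrefix(d.Name(), ".") || depth >= 1) {
				return filepath.SkipDir
			}
			return nil
		}
		// Type() is read from the dirent too; skip symlinks (no escaping the root) and require root/<name>/plugin.yaml.
		if d.Type()&fs.ModeSymlink != 0 || d.Name() != manifestName || depth != 1 {
			return nil
		}
		manifests = append(manifests, path)
		return nil
	})
	return manifests, err
}

// BuildSampleTree writes a constructed tree: two real plugins plus a hidden cache
// copy and a nested copy that discovery must ignore.
func BuildSampleTree(root string) error {
	for _, p := range []string{"a/plugin.yaml", "b/plugin.yaml", ".cache/plugin.yaml", "a/deep/plugin.yaml"} {
		full := filepath.Join(root, p)
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte("name: sample\n"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

const manifestName = "plugin.yaml" // assumed manifest file name
```

Running FindPluginManifests over the sample tree returns only the two top-level manifests, and a non-existent root surfaces the Lstat error instead of an empty result.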

Security & Reporting: The update introduces support for CVSS v4 vulnerability ratings within CycloneDX reports, providing more current and detailed security context. SBOM generation sees improvements, including preserving Red Hat BuildInfo when layer information is absent and adding NOASSERTION for license fields in SPDX non-library packages. SARIF reports also now correctly set the ROOTPATH URI when scanning Git repositories, ensuring accurate linking.

Scanning Accuracy & Stability: Several fixes enhance Trivy’s ability to scan specific project types:

  • Python: Fixes the handling of multiple version specifiers in requirements.txt and resolves a nil pointer dereference triggered by optional Poetry groups that declare no dependencies, making Python project analysis more robust.
  • Vulnerability Detection: Improves the detection of vulnerability fields in Azure and Mariner detectors.
  • General: Validates template file extensions, preventing potential misconfigurations.

Impact for QA Teams

QA teams will benefit from faster security scans, leading to quicker feedback loops in CI/CD pipelines. The improved accuracy in SBOMs and Python dependency analysis means more reliable vulnerability detection and fewer false positives. The inclusion of CVSS v4 ratings offers a more precise understanding of security risks, aiding in prioritization and reporting.

Official Source: For detailed release notes, refer to the Trivy v0.70.0 GitHub Release.